Miyaji Laboratory

Group Key Agreement (GKA) allows a large group of $n$ parties to share a common secret key over insecure channels efficiently, and thus parties in the group can encrypt and decrypt messages among group members by using a shared key. Secure communication within a large group has become an integral part of many applications, like ``Facebook'' and ``LinkedIn''. In fact, GKA is one of the most preferable way to provide us with enough security in today's multi-party settings.

GKA can be applicable to some ad-hoc wireless settings where computational resources of nodes or bandwidth of the channels are more restricted than wired ones. Therefore, the lower computational and communicational complexity, and also scalability (i.e. can be adaptively employed in various environments) are required in the construction of GKA protocols. However, most of the existing GKA's have some problems in the practicality. The first one is that, as Jarecki et al. indicate, the robustness for node fault is not enough. Robustness in this paper is a crucial property that assure correct execution of GKA protocol if some node faults happened, especially due to low-reliability of the communication channels or node fault rates that are non-negligible. The second problem is the performance limitations of traditional GKA, where a shared common group key is {\it symmetric}. Such a situation leads to the following problems (1) after a GKA protocol is executed, a key-confirmation process is required to guarantee whether all group members share the corresponding group key or not, and (2) there is no way to encrypt message if an encryptor is not a member of the corresponding group.

In general, evaluation standards for GKA are (1) round complexities (the number of broadcast or multicast per user), (2) computational complexities, and (3) communicational complexity, where the robustness is not always considered well. As mentioned above, core effectiveness of GKA deeply depend on the robustness: if some parties fail during the protocol execution in some non-robust protocol, then some other parties cannot share the common secret key without restarting the protocol from scratch. This increased the computational, communicational, and round complexity since total complexity of protocols in multiplied by the number of faults. Therefore, it is challenging to construct GKA which meets both efficiency and robustness.

Wu et al. proposed an elaborate solution of both ``additional key-confirmation" and ``available for inner-user only cases", called Asymmetric GKA (ASGKA), where a common ``group public key" can be established from the set of public keys of each group member. Anybody can compute such common public key, and therefore even if encryptors are not a member of a group, they can send an encrypted data to all group members. On the other hand, their (unauthenticated) ASGKA only considers passive adversaries who just eavesdrop on the communication channel. In general, a GKA is said to be ``authenticated" if active adversaries are caught (e.g., relay, delay, modify, interleave or delete the message flows). In the real environments, such active adversaries must be caught. Wu et al. have already mentioned that ASGKA secure against active attackers (AASGKA) may be constructed from authentication techniques, by using certification. However, every group members in ASGKA is required to update their own public information whenever the group member is changed, therefore if we utilize such authentication techniques, certifications of their public value have to be published each time, and it is inefficient. Zhang et al. proposed the first AASGKA scheme without requiring additional rounds. Each participant is armed with a private-public key pair, and a trusted key generation center (KGC) is employed to issue certificates for the participants. Zhang et al. proposed the first (one-round) AASGKA scheme by adopting identity-based encryption (IBE) settings (called IB-AASGKA). Each member has the identity as its (long-term) public key, and is issued a private key of its own identity from KGC. Although their IB-AASGKA achieves higher security than that of ASGKA easily, the construction technique is not efficient. In ASGKA scheme, since KGC is not assumed, each members have to publish signature using his own private key and construct signature matrix, therefore the computational complexity depends on group size. On the other hand, in IB-AASGKA setting KGC is assumed for the security purpose, ASGKA like technique is redundant. However, Zhang et al. apply the redundant technique to their construction of IB-AASGKA.

In all the above arguments, we make a proposal to the existing problems on GKA; (1) an efficient and robust GKA scheme, (2) a generic construction of IB-AASGKA based on Identity-Based Broadcast Encryption (IB-BE). The first one is $T$-robust scalable GKA with communicational and computational complexity $O(\log{n})$ for the size of $n$ parties. The second one is a novel and efficient construction technique using IB-BE which is a new cryptographic primitive.